How to Store Paper Medical Records: HIPAA Tips

Storing paper medical records requires a combination of physical security, environmental controls, organized filing, and a clear retention schedule. Whether you run a small practice or manage records for a larger facility, the basics are the same: keep records locked, dry, organized, and accessible only to authorized staff. Here’s how to do each of those things well.

Physical Security Requirements

HIPAA’s Physical Safeguards standard requires covered entities to limit physical access to facilities where protected health information is stored, while still allowing authorized personnel to reach what they need. In practical terms, that means your records storage area should have locked doors at minimum. Depending on the size of your operation, you may also want electronic access controls, surveillance cameras, or alarm systems. The goal is simple: no one should be able to walk into a records room without authorization.

For smaller practices, a locked filing cabinet in a room that isn’t accessible to patients or visitors may be sufficient. Larger operations typically need a dedicated records room with a keypad or badge reader on the door. Whichever setup you use, keep a written policy that spells out who has access, how keys or codes are distributed, and what happens when an employee leaves.

Tracking Who Pulls a Record

Every time a paper chart leaves its filing location, you need a way to know who took it and when. A sign-out log is the simplest approach. Each entry should capture the patient’s name or record number, the name of the person removing the file, the date and time it was checked out, and the date it was returned. Some offices use an outguide, a placeholder card that sits in the file’s spot and displays the same information at a glance.

This audit trail serves two purposes. It helps you find a missing chart quickly, and it creates a record of access that you can review if a privacy concern arises. Digital sign-out systems exist, but a paper log works fine as long as it’s used consistently.
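A sketch of how a transcribed sign-out log can be reviewed for both purposes, added here as an illustration and not part of the original article. The column names, the sample rows, the review time and the two-day limit are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log with the fields listed above, one row per removal.
LOG = """\
record,removed_by,checked_out,returned
MRN-1001,A. Rivera,2024-03-04 09:15,2024-03-04 16:40
MRN-1002,J. Chen,2024-03-04 10:02,
MRN-1001,J. Chen,2024-03-07 08:30,
MRN-1002,A. Rivera,2024-03-07 11:00,2024-03-07 15:00
"""
FMT = "%Y-%m-%d %H:%M"
NOW = datetime(2024, 3, 8, 9, 0)   # constructed "current time" for the review
MAX_OUT = timedelta(days=2)        # assumed office policy, not a HIPAA figure

def load(text):
    """Parse the log; an empty 'returned' field means the chart is still out."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["checked_out"] = datetime.strptime(r["checked_out"], FMT)
        r["returned"] = datetime.strptime(r["returned"], FMT) if r["returned"] else None
    return rows

def outstanding(rows, now=NOW, max_out=MAX_OUT):
    """Charts the log shows as still out for longer than max_out."""
    return [(r["record"], r["removed_by"]) for r in rows
            if r["returned"] is None and now - r["checked_out"] > max_out]

def unlogged_returns(rows):
    """Checkouts made while the log shows the chart was not yet back."""
    last, flags = {}, []
    for r in sorted(rows, key=lambda r: r["checked_out"]):
        prev = last.get(r["record"])
        if prev and (prev["returned"] is None or prev["returned"] > r["checked_out"]):
            flags.append((r["record"], prev["removed_by"], r["removed_by"]))
        last[r["record"]] = r
    return flags

def access_history(rows, record):
    """Everyone who pulled one chart, oldest first, for a privacy review."""
    hits = sorted((r for r in rows if r["record"] == record),
                  key=lambda r: r["checked_out"])
    return [(r["removed_by"], r["checked_out"]) for r in hits]

if __name__ == "__main__":
    rows = load(LOG)
    print("overdue:", outstanding(rows))
    print("return never logged:", unlogged_returns(rows))
    print("MRN-1001 pulled by:", access_history(rows, "MRN-1001"))
```

The second check is the one that shows whether the log is being used consistently: a chart cannot be pulled again while an earlier entry for it is still open.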

Organizing Your Filing System

For a small practice with a few hundred active charts, alphabetical filing by last name is straightforward and easy to maintain. Once you grow beyond a few thousand records, though, alphabetical systems start to break down. Common last names cluster together, making certain sections of your filing area crowded while others sit nearly empty. Misfiling rates climb because staff rush through congested areas.

Terminal digit filing solves these problems and is the standard in most hospitals. Instead of filing a record by its full number in sequence, you break the medical record number into segments and file based on the last two digits. For example, records numbered 346371, 346372, and 346373 would be filed in sections 71, 72, and 73 respectively. Only every 100th new record ends up in the same primary section, which distributes files evenly across the entire storage area. This relieves congestion, lets multiple staff members file simultaneously in different sections, and makes quality control easier because you can assign each person responsibility for specific sections. It also eliminates the need to shift large blocks of records to make room for new ones, since additions and removals happen at roughly the same pace across all sections.
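The filing rule described above, written out as an added example that is not part of the original article. It goes slightly beyond the text: the article only specifies the last two digits as the primary section, and ordering within a section by the middle pair and then the leading digits is the conventional scheme, assumed here. The function names and the six-digit width are also assumptions.

```python
from collections import Counter

def terminal_digit_key(mrn: str, width: int = 6) -> tuple:
    """Split a record number into (primary, secondary, tertiary) sections."""
    digits = mrn.replace("-", "").strip()
    if not (digits.isascii() and digits.isdigit()) or len(digits) > width:
        raise ValueError(f"not a valid record number: {mrn!r}")
    digits = digits.zfill(width)            # pad short numbers: 4271 -> 004271
    # Primary section is the last two digits, as the article describes.
    # Ordering inside a section by the middle pair, then the leading digits,
    # is the conventional scheme and an assumption here.
    return digits[-2:], digits[-4:-2], digits[:-4]

def shelf_order(mrns):
    """Return record numbers in the order they sit on the shelves."""
    return sorted(mrns, key=terminal_digit_key)

def section_load(mrns):
    """Count how many charts land in each primary section."""
    return Counter(terminal_digit_key(m)[0] for m in mrns)

def misfiled(section: str, mrns):
    """Quality-control check: charts found in a section they don't belong to."""
    return [m for m in mrns if terminal_digit_key(m)[0] != section]

# Constructed sample data: the article's three numbers plus invented ones.
SAMPLE = ["346373", "346371", "120471", "346372", "12-05-71"]
NEW_CHARTS = [str(n) for n in range(346000, 347000)]   # 1,000 consecutive MRNs

if __name__ == "__main__":
    print(shelf_order(SAMPLE))
    load = section_load(NEW_CHARTS)
    print(len(load), "sections used,", max(load.values()), "charts in the fullest")
    # 346317 is a transposition of 346371 and belongs in section 17.
    print(misfiled("71", ["346371", "120471", "346317"]))
```

A thousand consecutively issued numbers spread across all 100 primary sections at ten charts each, whereas straight numeric filing would put every one of them at the end of the last shelf.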

Temperature, Humidity, and Light

Paper degrades faster than most people realize when storage conditions are poor. The Library of Congress recommends keeping paper documents in a cool environment (room temperature or below), at roughly 35% relative humidity, in a clean and stable space. Avoid attics, basements, and any location prone to leaks or temperature swings. High humidity promotes mold growth, which can destroy records in a matter of weeks. Low humidity makes paper brittle over time.

If your records room doesn’t have its own climate control, at minimum place a hygrometer in the space and check it regularly. A portable dehumidifier can help in humid climates. Keep records off the floor, ideally on shelving that starts at least four to six inches above ground level, to protect against minor flooding. Direct sunlight fades ink and weakens paper fibers, so use window coverings or store records in opaque containers if the room has windows.

Fire Protection for Paper Records

Paper ignites at about 420°F. Filing cabinets and safes designed to protect paper records carry a UL Class 350 rating, meaning the interior temperature never exceeds 350°F during fire testing. That 70-degree margin provides a buffer that keeps documents intact even if the room around them is engulfed.

Class 350 products come in time ratings ranging from 30 minutes to 4 hours. A one-hour rating is common for office environments, but your choice should reflect how quickly your local fire department can respond and how long a fire could burn before suppression begins. For critical original documents that can’t be replaced, a two-hour or four-hour rated cabinet is worth the investment. Combine fire-rated storage with a sprinkler system in the records room whenever possible, and keep fire extinguishers nearby.

How Long You Must Keep Records

Federal law sets the floor: hospitals participating in Medicare must retain medical records for at least five years from the date of service. But state laws frequently exceed that minimum, and your state’s requirement is the one that governs your practice.

Michigan, for example, requires a minimum of seven years for most medical records. Some states set the retention clock differently for minors, often requiring records to be kept until the patient reaches the age of majority plus an additional number of years. The practical takeaway is that you need to check your own state’s statute and use whichever retention period is longest, whether that comes from federal rules, state law, or your malpractice insurer’s recommendations. Many practices default to ten years as a safe general policy.

Build a retention schedule into your filing system. Color-coded year labels on folders make it easy to identify which records have reached their retention deadline during periodic purges.

Secure Destruction When Retention Expires

When records reach the end of their required retention period, you can’t just toss them in the recycling bin. HIPAA requires that protected health information be rendered unreadable before disposal. For paper, that means shredding, burning, or pulping.

The most stringent federal standard, aligned with NIST guidelines, calls for cross-cut shredding to a particle size of 1 mm by 5 mm or smaller. That’s roughly the size of a small grain of rice. Standard strip-cut shredders don’t meet this threshold. If your shredder produces larger particles, the shredded material must be protected as if it were still intact until it reaches final destruction through burning or pulping. Many practices contract with certified document destruction companies that provide locked collection bins and certificates of destruction. If you go that route, make sure the vendor’s equipment meets the particle size requirement before the material leaves a secured environment.

Using Off-Site Storage Facilities

When your on-site space fills up, commercial records storage is a practical option for inactive charts. Under HIPAA, any third-party storage provider that handles your records is considered a business associate, and you must have a signed Business Associate Agreement in place before transferring any files.

That agreement must cover several specific points: it defines what the storage company is allowed to do with the records, prohibits any use or disclosure beyond what the contract permits, requires the company to implement appropriate safeguards against unauthorized access, obligates them to report any breach of unsecured information, and ensures they’ll make records available when patients request copies or amendments. The agreement must also require the company to return or destroy all records at the end of the contract and to impose the same restrictions on any subcontractors.

Before signing with a provider, visit the facility. Confirm that it has climate control, fire suppression, restricted access, and pest management. Ask about their retrieval turnaround time, since you may need a record back within hours for patient care or a legal request. A facility that takes three business days to deliver a file may not meet your operational needs.

Creating Backup Copies

Paper records are vulnerable in ways digital files aren’t. A single flood, fire, or break-in can destroy years of documentation. Scanning critical records and storing digital copies in an encrypted, HIPAA-compliant system provides a safety net. You don’t necessarily need to digitize your entire archive at once. Start with active patient charts, records involved in ongoing treatment, and any documents that would be difficult or impossible to reconstruct, such as signed consent forms and original diagnostic reports.

If full digitization isn’t feasible, consider microfilm or microfiche for long-term archival storage. Both are recognized as legally reproduced forms under federal retention rules and can survive decades in proper storage conditions.